Week1 web Level 24 Pacman 直接去找源码,控制台赋值 _SCORE=100000 _LIFE=true; 得到之后进行base64,栅栏密码解密 Level 47 BandBomb 上传恶意EJS文件 创建一个包含EJS代码的文件,内容为读取flag的代码: aaa.ejs <%= process.env.FLAG || require('fs').readFileSync('/flag', 'utf8') %> 使用POST请求上传此文件到/upload接口。 ...
春秋杯冬季赛2025 个人题解
Newstar2024 个人题解
总排第28名,后续会对web复现 week1 Misc 签到题 公众号发对应内容就可以得到flag Rasterizing Traffic 给的流量包,wireshark导出全部内容,中间的三个flag拼接是假的 ...
前言:总排23,新生赛道11 Round 1 crypto [round1]BREAK e有范围,由于e的范围不算大,可以进行爆破得到e,求出d,解出flag from Crypto.Util.number import * from gmpy2 import invert, gcd p = 112201812592436732390795120344111949417282805598314874949132199714697698933980025001138515893011073823715376332558632580563147885418631793000008453933543935617128269371275964779672888059389120797503550397834151733721290859419396400302434404551112484195071653351729447294368676427327217463094723449293599543541 q = 177020901129489152716203177604566447047904210970788458377477238771801463954823395388149502481778049515384638107090852884561335334330598757905074879935774091890632735202395688784335456371467073899458492800214225585277983419966028073512968573622161412555169766112847647015717557828009246475428909355149575012613 c = 2924474039245207571198784141495689937992753969132480503242933533024162740004938423057237165017818906240932582715571015311615140080805023083962661783117059081563515779040295926885648843373271315827557447038547354198633841318619550200065416569879422309228789074212184023902170629973366868476512892731022218074481334467704848598178703915477912059538625730030159772883926139645914921352787315268142917830673283253131667111029720811149494108036204927030497411599878456477044315081343437693246136153310194047948564341148092314660072088671342677689405603317615027453036593857501070187347664725660962477605859064071664385456 n = p * q phi = (p - 1) * (q - 1) def generate_primes(start, end): primes = [] for num in range(start, end + 1): if isPrime(num): primes.append(num) return primes for e in generate_primes(55555, 66666): if gcd(e, phi) == 1: try: d = invert(e, phi) m = pow(c, d, n) flag = long_to_bytes(m).decode('utf-8') print(f"找到 e = {e}, 解密后的 flag: {flag}") break except ZeroDivisionError: continue # 如果 invert 失败,则继续尝试下一个 e except UnicodeDecodeError: continue # 如果解码失败,则继续尝试下一个 e # YLCTF{fbb6186c-6603-11ef-ba80-deb857dc15be} [round1]signrsa RSA 模数 n1 和 n2 之间有公因子 q,从而使得可以分别对这两个模数进行分解,然后使用对应的私钥对密文进行解密,通过共模攻击解密 ...